All news with #phantom taurus tag
Wed, October 1, 2025
Chinese APT 'Phantom Taurus' Targets Gov and Telecom
🔎 Researchers at Palo Alto Networks have attributed more than two years of coordinated espionage to a previously unreported Chinese-aligned threat actor dubbed Phantom Taurus. The group targets government and telecommunications organizations across Africa, the Middle East, and Asia, collecting intelligence on foreign ministries, embassies, geopolitical events and military operations while maintaining persistent covert access. Its toolkit includes a new IIS web-server backdoor suite called NET-STAR, DNS and remote-access tooling, in-memory implants and a wide mix of dual-use utilities. Operators have shifted from harvesting Exchange mailboxes, after gaining access through ProxyLogon and ProxyShell exploits, to targeted searches of SQL Server databases and WMI-driven data extraction.
Wed, October 1, 2025
Phantom Taurus: China-Aligned Hackers Target State, Telecom
🔍 Phantom Taurus, newly designated by Unit 42, is a China-aligned cyber-espionage group that has targeted government and telecommunications organizations across Africa, the Middle East and Asia for at least two and a half years. Unit 42 first tracked the activity as an unnamed cluster, assigned a codename to its 2024 campaign, and elevated it to a distinct named group in 2025. Phantom Taurus has shifted from email-server exfiltration to directly querying SQL Server databases via a custom batch script, mssq.bat, executed over WMI, and deploys a previously undocumented .NET IIS malware suite dubbed NET-STAR.
Tue, September 30, 2025
Phantom Taurus: China-linked APT Targets Diplomacy
🔍 Palo Alto Networks Unit 42 has attributed a two-and-a-half-year campaign of espionage to a previously undocumented China-aligned actor dubbed Phantom Taurus, which has targeted government and telecommunications organizations across Africa, the Middle East, and Asia. The group uses a bespoke .NET malware suite called NET-STAR to backdoor Internet Information Services (IIS) web servers and maintain stealthy access. Observed techniques include exploitation of on-premises IIS and Microsoft Exchange flaws, in-memory payload execution, timestomping and AMSI/ETW bypasses, enabling persistent data collection tied to geopolitical events.
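Detection logic for the two host-level behaviours the summaries above describe, a batch script querying SQL Server launched over WMI (the mssq.bat tradecraft) and a shell spawned from the IIS worker process that a backdoor such as NET-STAR would live in. This is an added example written for this page; it is not code from Unit 42 or from the reporting, and the events it runs over are constructed Sysmon-style process-creation records, not real telemetry. The rule names, the hosts, users and paths, and the process GUID linkage are assumptions made for the example; the only detail taken from the page is the mssq.bat file name. The one fact it relies on is that processes created remotely through WMI (Win32_Process.Create) appear as children of WmiPrvSE.exe, and that ASP.NET code runs inside w3wp.exe.

```python
"""Flag WMI-launched batch/SQL collection and IIS-worker-spawned shells.

Added example, not Unit 42 code. Input is a list of Sysmon Event ID 1 style
records reduced to the fields the rules need; SAMPLE_EVENTS is constructed.
"""
import re
from dataclasses import dataclass

WMI_HOST = "wmiprvse.exe"     # parent of processes created via Win32_Process.Create
IIS_WORKER = "w3wp.exe"       # IIS worker process hosting ASP.NET (and any web backdoor)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SQL_CLIENTS = {"sqlcmd.exe", "osql.exe"}
SCRIPT_RE = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)
MAX_ANCESTORS = 5             # how far up the process tree to look for WmiPrvSE.exe

# Constructed sample telemetry (hosts, users, GUIDs and paths are made up).
SAMPLE_EVENTS = [
    # 1. WMI-spawned cmd.exe running the collection batch script
    {"host": "SQL01", "user": "CORP\\svc_backup", "process_guid": "C1", "parent_guid": "P1",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c C:\ProgramData\mssq.bat 10.0.5.20 "select * from contacts"'},
    # 2. sqlcmd.exe launched by that batch script (grandchild of WmiPrvSE.exe)
    {"host": "SQL01", "user": "CORP\\svc_backup", "process_guid": "S1", "parent_guid": "C1",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\Tools\Binn\sqlcmd.exe",
     "command_line": r'sqlcmd -S 10.0.5.20 -Q "select * from contacts" -o C:\Windows\Temp\o.csv'},
    # 3. IIS worker process spawning a shell (web backdoor command execution)
    {"host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "process_guid": "C2", "parent_guid": "W1",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami /all"},
    # 4. Benign: IIS worker compiling an ASP.NET page, must not fire
    {"host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "process_guid": "X1", "parent_guid": "W1",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "command_line": "csc.exe /t:library /out:App_Web_x.dll"},
    # 5. Benign: DBA running sqlcmd interactively from Explorer, must not fire
    {"host": "SQL01", "user": "CORP\\dba", "process_guid": "S2", "parent_guid": "E1",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\Tools\Binn\sqlcmd.exe",
     "command_line": "sqlcmd -S localhost -Q \"select count(*) from contacts\""},
]


@dataclass
class Alert:
    rule: str
    host: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_wmi_ancestor(event: dict, index: dict) -> bool:
    """Walk parent links (bounded) looking for WmiPrvSE.exe as a parent."""
    cur = event
    for _ in range(MAX_ANCESTORS):
        if basename(cur["parent_image"]) == WMI_HOST:
            return True
        cur = index.get(cur["parent_guid"])
        if cur is None:          # parent not in our window of events
            return False
    return False


def run_rules(events: list) -> list:
    """Apply the three rules to every event and return the alerts in order."""
    index = {e["process_guid"]: e for e in events}
    alerts = []
    for e in events:
        parent, child = basename(e["parent_image"]), basename(e["image"])
        # Rule 1: WMI provider host spawning a shell that runs a .bat/.cmd script
        if parent == WMI_HOST and child in SHELLS and SCRIPT_RE.search(e["command_line"]):
            alerts.append(Alert("wmi_spawned_shell_batch", e["host"], e["image"], e["command_line"]))
        # Rule 2: a SQL command-line client anywhere under a WMI-created process
        if child in SQL_CLIENTS and has_wmi_ancestor(e, index):
            alerts.append(Alert("sql_client_under_wmi", e["host"], e["image"], e["command_line"]))
        # Rule 3: IIS worker process spawning a shell (csc.exe etc. are left alone)
        if parent == IIS_WORKER and child in SHELLS:
            alerts.append(Alert("iis_worker_spawned_shell", e["host"], e["image"], e["command_line"]))
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.command_line}")
```

Rule 2 walks the process tree rather than checking only the direct parent because the batch script, not WmiPrvSE.exe, is what launches sqlcmd.exe; the bounded walk keeps the rule cheap and stops when the chain leaves the event window. Rule 3 deliberately ignores csc.exe and similar compiler children of w3wp.exe, which ASP.NET spawns legitimately, so the rule stays usable on real IIS hosts.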